Dropbox 18 – Dropbox Client (Windows)

There are two ways that we can connect to our Dropbox Relay to establish our tunnels. Since we likely aren’t as restricted as our client environments, we can connect directly through SSH. We can also connect just like the Dropbox Server does, over SSL/TLS to the HAProxy on port 443, so that we can block all access to the Dropbox Relay on port 22. Both methods will be demonstrated below.

Create Tunnels (SSH)

Create a session (we’ll name it DBOX01-Tunnels-SSH) with the following basic options.

Host Name: dbox-relay@<FQDN of Dropbox Relay>
Port: 22

Putty Tunnels SSH – General

Set the private key to use for authentication.

Putty Tunnels SSH – Auth

Forward local ports to tunnels on the Dropbox Relay. The local (L) ports here should be noted for use later but are mostly arbitrary; they just can’t already be in use by other services. The destination is the Dropbox Relay, and the destination ports must correspond with the reverse SSH tunnels created by the Dropbox Server.

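In this example we are creating the following mappings:

| Service            | Dropbox Server 01 | Dropbox Relay | Dropbox Client 01 |
|--------------------|-------------------|---------------|-------------------|
| SSH                | 22                | 11095         | 11095             |
| VNC                | 5901              | 11096         | 11096             |
| HTTP Proxy (Squid) | 3128              | 11097         | 11097             |
| SOCKS Proxy        | 9999              | 11098         | 11098             |

| Service            | Dropbox Server 02 | Dropbox Relay | Dropbox Client 02 |
|--------------------|-------------------|---------------|-------------------|
| SSH                | 22                | 12095         | 12095             |
| VNC                | 5901              | 12096         | 12096             |
| HTTP Proxy (Squid) | 3128              | 12097         | 12097             |
| SOCKS Proxy        | 9999              | 12098         | 12098             |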

Putty Tunnels SSH – Tunnels

This will be repeated on the Dropbox Client for as many Dropbox Servers as you have.

After making all of your changes remember to go back up to Session and click Save.

Now select Open and you should be challenged for the passphrase to your private key. After entering it you will have an interactive shell on the Dropbox Relay and all of your tunnels should be tied to local ports.

Create Tunnels (SSL/TLS)

Create a session (we’ll name it DBOX01-Tunnels-SSL) with the following basic options.

Host Name: dbox-relay@localhost
Port: 22

localhost in this case refers to the Dropbox Relay, because the SSH connection is carried over an SSL/TLS tunnel to that host. The tunnel is configured in a subsequent step.

Putty Tunnels SSL – General

The private key authentication and tunnels setup are identical to the same sections in Create Tunnels (SSH).

We do need to configure our SSL/TLS proxy, though.

Under Connection -> Proxy, select ‘Local’ and check ‘Consider proxying local host connections’, then enter ‘ncat --ssl-verify <FQDN of Dropbox Relay> 443’ without the quotes under ‘Telnet command, or local proxy command’. This assumes that you have nmap/ncat installed.

Putty Tunnels SSL – Proxy

The only other setting we have to change is directly under Connection. Change ‘Seconds between keepalives’ from 0 to something fairly low, like 10. For the SSH-only solution we don’t need to worry about this, but if you don’t stay constantly active with the SSL/TLS tunnel it will die unless this is modified.

Putty Tunnels SSL – Keepalives

After making all of your changes remember to go back up to Session and click Save.

Now select Open and you should be challenged for the passphrase to your private key. After entering it you will have an interactive shell on the Dropbox Relay and all of your tunnels should be tied to local ports.
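To confirm the local ends of the forwards after either Create Tunnels (SSH) or Create Tunnels (SSL/TLS), the following PowerShell check can be run on the Dropbox Client. It is an added example, not part of the original post, and it assumes the Dropbox Client 01 ports from the table above, a stock putty.exe process name, and a Windows version that provides Get-NetTCPConnection.

```powershell
# Added example (not from the original post): audit the local ends of the
# PuTTY forwards. Ports are the Dropbox Client 01 column of the mapping table.
$Forwards = [ordered]@{
    'SSH'                = 11095
    'VNC'                = 11096
    'HTTP Proxy (Squid)' = 11097
    'SOCKS Proxy'        = 11098
}
$Loopback = '127.0.0.1', '::1'

function Get-TunnelStatus {
    param(
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Map
    )
    # Snapshot every TCP listener once, then match by local port.
    $listeners = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue)
    foreach ($name in $Map.Keys) {
        $port = [int]$Map[$name]
        $hits = @($listeners | Where-Object { $_.LocalPort -eq $port })
        $owners = @($hits | ForEach-Object {
            (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        } | Sort-Object -Unique)
        # Exposed = bound to something other than loopback (e.g. 0.0.0.0 or ::),
        # which would let other hosts on your network use the tunnel.
        $exposed = @($hits | Where-Object { $Loopback -notcontains $_.LocalAddress })
        [pscustomobject]@{
            Service   = $name
            LocalPort = $port
            Listening = $hits.Count -gt 0
            Owner     = $owners -join ','
            Addresses = @($hits | ForEach-Object { $_.LocalAddress } | Sort-Object -Unique) -join ','
            Exposed   = $exposed.Count -gt 0
        }
    }
}

$status = Get-TunnelStatus -Map $Forwards
$status | Format-Table -AutoSize

# Before clicking Open: no row should be Listening (otherwise pick another L port).
# After clicking Open: every row should be Listening, owned by putty, not Exposed.
# The warning below applies to the after-Open run only.
$bad = $status | Where-Object { -not $_.Listening -or $_.Owner -ne 'putty' -or $_.Exposed }
if ($bad) { Write-Warning ("Check these forwards: " + ($bad.Service -join ', ')) }
```

If a row shows Exposed, check that ‘Local ports accept connections from other hosts’ is unticked under Connection -> SSH -> Tunnels in the saved session.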